Exception policy templates
Learn about the predefined exception policy templates and how to customize them.
Endor Labs provides the following exception policy templates that you can use to quickly create exception policies. Each exception policy template provides parameters to help you customize the conditions under which an exception is applied.
Common
Allows you to define exceptions for common use cases such as:
- Exclude a specific finding, for a specific package, for a specific dependency.
- Exclude all findings for a specific dependency.
- Exclude all findings for a specific package.
- Exclude all vulnerabilities that do not have a patch available.
| Parameter | Description |
|---|---|
| Vulnerability ID | Specify a vulnerability identifier, for example, CVE-2024-3727 or GHSA-qh2h-chj9-jffq. |
| Finding Name Contains | Match full or partial finding name. |
| Dependency Name Contains | Match full or partial dependency name. |
| Package Name Contains | Match full or partial package name. Do not specify a package version here if you want the exception to apply to multiple versions of the package. |
| Fix Availability | Select ‘Fix Not Available’ to apply the exception if a patch is not available for the dependency. |
Custom
Allows you to define where exceptions apply based on custom criteria that are less common for findings.
| Parameter | Description |
|---|---|
| Vulnerability ID | Specify a vulnerability identifier, for example, CVE-2024-3727 or GHSA-qh2h-chj9-jffq. |
| Finding Name Contains | Match full or partial finding name. |
| Dependency Name Contains | Match full or partial dependency name. |
| Package Name Contains | Match full or partial package name. Do not specify a package version here if you want the exception to apply to multiple versions of the package. |
| Fix Availability | Select ‘Fix Not Available’ to apply the exception if a patch is not available for the dependency. |
| Category | Match finding category. |
| Type | Match finding type. |
| Severity | Match finding severity. |
| Relationship | Select ‘Direct Dependency’ to only match findings for direct dependencies, or ‘Transitive Dependency’ to only match findings for transitive dependencies. |
| Dependency Reachability | Select ‘Unreachable Dependency’ to only match findings where the vulnerable dependency is not reachable. |
| Function Reachability | Select ‘Unreachable Function’ to only match findings where the vulnerable function is not reachable. |
| Source Code Ecosystem | Match finding ecosystem. |
| Custom Tag | Apply exceptions to findings with this meta tag, set by the policy that generated the finding or via the --finding-tags CLI option. Note that these tags are different and separate from the system-defined finding tags. |
| Include Path | Only match findings matching this glob style file pattern, for example src/golang/**. |
| Exclude Path | Do not match findings matching this glob style file pattern, for example src/golang/**. |
Feedback
Was this page helpful?
Thanks for the feedback. Write to us at support@endor.ai to tell us more.
Thanks for the feedback. Write to us at support@endor.ai to tell us more.